Through VB code or ASP code is there a way to determine the NT Groups that
a user belongs to?

sure you can use ADSI - but we aware that you may need certain privs/rights
to achieve this. the following code is from my book:

strComputer = "MyServer" ' Use '.' for the local computer.
Set oComp = GetObject("WinNT://" & strComputer & ",computer")
oComp.Filter = Array("group")

For Each group In oComp
WScript.echo group.Name
iCount = 0
For Each member in group.members
WScript.echo " " & member.Name
iCount = iCount + 1
Next
If iCount = 0 Then WScript.echo " <none>"
Next

what are you trying to achieve?

"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
>
>Through VB code or ASP code is there a way to determine the NT Groups that
>a user belongs to?

This returns the groups and users for a particular machine, how about the
users in a Domain group? We are wanting to create domain groups (not sure
if that is the right nomenclature) and use them as the security groups we
check for access to a pages on a local intranet.

The idea is instead of having to maintain users, groups and security settings
in a database indicating who has access to what pages; we use NT domain groups.
Then, using NT Challenge Response, we can check to see if the user hitting
a page is in the NT domain group that has rights to this page, if not then
send them back to their previous page or show a "nice" access denied page.
Our users are scattered throughout the US and we would like the local IS
groups to add the proper users to the groups, so we don't have to maintain
the large user-rights list.


"Michael Howard" <mikehow@microsoft.com> wrote:
>
>sure you can use ADSI - but we aware that you may need certain privs/rights
>to achieve this. the following code is from my book:
>
>strComputer = "MyServer" ' Use '.' for the local computer.
>Set oComp = GetObject("WinNT://" & strComputer & ",computer")
>oComp.Filter = Array("group")
>
>For Each group In oComp
> WScript.echo group.Name
> iCount = 0
> For Each member in group.members
> WScript.echo " " & member.Name
> iCount = iCount + 1
> Next
> If iCount = 0 Then WScript.echo " <none>"
>Next
>
>what are you trying to achieve?
>
>"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
>>
>>Through VB code or ASP code is there a way to determine the NT Groups that
>>a user belongs to?
>

From: http://www.windows-script.com/
<quotedStuff>
How do I detect what groups a user belongs to?

dsRoot = "WinNT://domain/userid"
set wshShell = Wscript.CreateObject("Wscript.Shell")
set dsObj = GetObject(dsRoot)
For Each Prop In dsobj.groups
wshshell.popup Prop.Name
Next 'Prop
</quotedStuff>

That should do it.
--
Eli Allen
eallen@bcpl.net



"DCarter" <daniel.carter@anhesuer-busch.com> wrote in message
news:3a9e60ba$1@news.devx.com...
>
> This returns the groups and users for a particular machine, how about the
> users in a Domain group? We are wanting to create domain groups (not sure
> if that is the right nomenclature) and use them as the security groups we
> check for access to a pages on a local intranet.
>
> The idea is instead of having to maintain users, groups and security
settings
> in a database indicating who has access to what pages; we use NT domain
groups.
> Then, using NT Challenge Response, we can check to see if the user
hitting
> a page is in the NT domain group that has rights to this page, if not then
> send them back to their previous page or show a "nice" access denied page.
> Our users are scattered throughout the US and we would like the local IS
> groups to add the proper users to the groups, so we don't have to maintain
> the large user-rights list.
>
>
> "Michael Howard" <mikehow@microsoft.com> wrote:
> >
> >sure you can use ADSI - but we aware that you may need certain
privs/rights
> >to achieve this. the following code is from my book:
> >
> >strComputer = "MyServer" ' Use '.' for the local computer.
> >Set oComp = GetObject("WinNT://" & strComputer & ",computer")
> >oComp.Filter = Array("group")
> >
> >For Each group In oComp
> > WScript.echo group.Name
> > iCount = 0
> > For Each member in group.members
> > WScript.echo " " & member.Name
> > iCount = iCount + 1
> > Next
> > If iCount = 0 Then WScript.echo " <none>"
> >Next
> >
> >what are you trying to achieve?
> >
> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
> >>
> >>Through VB code or ASP code is there a way to determine the NT Groups
that
> >>a user belongs to?
> >
>

actually, it's not QUITE as simple as all this - as this code does not take
into consideration any restricting SIDs in the user's token. if this is NT4,
then that's ok - there's no such thing as restricting SIDs in NT4, but on
Win2000 it can be problematic. there's an api in WIn2000 you can call named
CheckGroupMembership() that will do the work for you.


"Eli Allen" <eallen@bcpl.net> wrote:
>From: http://www.windows-script.com/
><quotedStuff>
>How do I detect what groups a user belongs to?
>
>dsRoot = "WinNT://domain/userid"
>set wshShell = Wscript.CreateObject("Wscript.Shell")
>set dsObj = GetObject(dsRoot)
>For Each Prop In dsobj.groups
> wshshell.popup Prop.Name
>Next 'Prop
></quotedStuff>
>
>That should do it.
>--
>Eli Allen
>eallen@bcpl.net
>
>
>
>"DCarter" <daniel.carter@anhesuer-busch.com> wrote in message
>news:3a9e60ba$1@news.devx.com...
>>
>> This returns the groups and users for a particular machine, how about
the
>> users in a Domain group? We are wanting to create domain groups (not
sure
>> if that is the right nomenclature) and use them as the security groups
we
>> check for access to a pages on a local intranet.
>>
>> The idea is instead of having to maintain users, groups and security
>settings
>> in a database indicating who has access to what pages; we use NT domain
>groups.
>> Then, using NT Challenge Response, we can check to see if the user
>hitting
>> a page is in the NT domain group that has rights to this page, if not
then
>> send them back to their previous page or show a "nice" access denied page.
>> Our users are scattered throughout the US and we would like the local
IS
>> groups to add the proper users to the groups, so we don't have to maintain
>> the large user-rights list.
>>
>>
>> "Michael Howard" <mikehow@microsoft.com> wrote:
>> >
>> >sure you can use ADSI - but we aware that you may need certain
>privs/rights
>> >to achieve this. the following code is from my book:
>> >
>> >strComputer = "MyServer" ' Use '.' for the local computer.
>> >Set oComp = GetObject("WinNT://" & strComputer & ",computer")
>> >oComp.Filter = Array("group")
>> >
>> >For Each group In oComp
>> > WScript.echo group.Name
>> > iCount = 0
>> > For Each member in group.members
>> > WScript.echo " " & member.Name
>> > iCount = iCount + 1
>> > Next
>> > If iCount = 0 Then WScript.echo " <none>"
>> >Next
>> >
>> >what are you trying to achieve?
>> >
>> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
>> >>
>> >>Through VB code or ASP code is there a way to determine the NT Groups
>that
>> >>a user belongs to?
>> >
>>
>
>

You can set a restriction to prevent someone from being in a workgroup? So
if Workgroup A contains a smaller workgroup B and user C is in workgroup B
you can keep them out of workgroup A? But if that was true should ADSI be
able to tell the actual workgroups a member is part of?

Or are you referring to something else he was talking about? It sounds like
he just wants very basic ACLs set at the workgroup level and the users just
exist in a workgroup without any special privileges.
--
Eli Allen
eallen@bcpl.net

"Michael Howard" <mikehow@microsoft.com> wrote in message
news:3aa02c02$1@news.devx.com...
>
> actually, it's not QUITE as simple as all this - as this code does not
take
> into consideration any restricting SIDs in the user's token. if this is
NT4,
> then that's ok - there's no such thing as restricting SIDs in NT4, but on
> Win2000 it can be problematic. there's an api in WIn2000 you can call
named
> CheckGroupMembership() that will do the work for you.
>
>
> "Eli Allen" <eallen@bcpl.net> wrote:
> >From: http://www.windows-script.com/
> ><quotedStuff>
> >How do I detect what groups a user belongs to?
> >
> >dsRoot = "WinNT://domain/userid"
> >set wshShell = Wscript.CreateObject("Wscript.Shell")
> >set dsObj = GetObject(dsRoot)
> >For Each Prop In dsobj.groups
> > wshshell.popup Prop.Name
> >Next 'Prop
> ></quotedStuff>
> >
> >That should do it.
> >--
> >Eli Allen
> >eallen@bcpl.net
> >
> >
> >
> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote in message
> >news:3a9e60ba$1@news.devx.com...
> >>
> >> This returns the groups and users for a particular machine, how about
> the
> >> users in a Domain group? We are wanting to create domain groups (not
> sure
> >> if that is the right nomenclature) and use them as the security groups
> we
> >> check for access to a pages on a local intranet.
> >>
> >> The idea is instead of having to maintain users, groups and security
> >settings
> >> in a database indicating who has access to what pages; we use NT domain
> >groups.
> >> Then, using NT Challenge Response, we can check to see if the user
> >hitting
> >> a page is in the NT domain group that has rights to this page, if not
> then
> >> send them back to their previous page or show a "nice" access denied
page.
> >> Our users are scattered throughout the US and we would like the local
> IS
> >> groups to add the proper users to the groups, so we don't have to
maintain
> >> the large user-rights list.
> >>
> >>
> >> "Michael Howard" <mikehow@microsoft.com> wrote:
> >> >
> >> >sure you can use ADSI - but we aware that you may need certain
> >privs/rights
> >> >to achieve this. the following code is from my book:
> >> >
> >> >strComputer = "MyServer" ' Use '.' for the local computer.
> >> >Set oComp = GetObject("WinNT://" & strComputer & ",computer")
> >> >oComp.Filter = Array("group")
> >> >
> >> >For Each group In oComp
> >> > WScript.echo group.Name
> >> > iCount = 0
> >> > For Each member in group.members
> >> > WScript.echo " " & member.Name
> >> > iCount = iCount + 1
> >> > Next
> >> > If iCount = 0 Then WScript.echo " <none>"
> >> >Next
> >> >
> >> >what are you trying to achieve?
> >> >
> >> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
> >> >>
> >> >>Through VB code or ASP code is there a way to determine the NT Groups
> >that
> >> >>a user belongs to?
> >> >
> >>
> >
> >
>

the problem is - you may be in group A, however, you may also have a restricting
sid which resicts A on acl checks. while the user is STILL a member of A,
ACL checks may behave differently owing the restricted SID.


"Eli Allen" <eallen@bcpl.net> wrote:
>You can set a restriction to prevent someone from being in a workgroup?
So
>if Workgroup A contains a smaller workgroup B and user C is in workgroup
B
>you can keep them out of workgroup A? But if that was true should ADSI
be
>able to tell the actual workgroups a member is part of?
>
>Or are you referring to something else he was talking about? It sounds
like
>he just wants very basic ACLs set at the workgroup level and the users just
>exist in a workgroup without any special privileges.
>--
>Eli Allen
>eallen@bcpl.net
>
>"Michael Howard" <mikehow@microsoft.com> wrote in message
>news:3aa02c02$1@news.devx.com...
>>
>> actually, it's not QUITE as simple as all this - as this code does not
>take
>> into consideration any restricting SIDs in the user's token. if this is
>NT4,
>> then that's ok - there's no such thing as restricting SIDs in NT4, but
on
>> Win2000 it can be problematic. there's an api in WIn2000 you can call
>named
>> CheckGroupMembership() that will do the work for you.
>>
>>
>> "Eli Allen" <eallen@bcpl.net> wrote:
>> >From: http://www.windows-script.com/
>> ><quotedStuff>
>> >How do I detect what groups a user belongs to?
>> >
>> >dsRoot = "WinNT://domain/userid"
>> >set wshShell = Wscript.CreateObject("Wscript.Shell")
>> >set dsObj = GetObject(dsRoot)
>> >For Each Prop In dsobj.groups
>> > wshshell.popup Prop.Name
>> >Next 'Prop
>> ></quotedStuff>
>> >
>> >That should do it.
>> >--
>> >Eli Allen
>> >eallen@bcpl.net
>> >
>> >
>> >
>> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote in message
>> >news:3a9e60ba$1@news.devx.com...
>> >>
>> >> This returns the groups and users for a particular machine, how about
>> the
>> >> users in a Domain group? We are wanting to create domain groups (not
>> sure
>> >> if that is the right nomenclature) and use them as the security groups
>> we
>> >> check for access to a pages on a local intranet.
>> >>
>> >> The idea is instead of having to maintain users, groups and security
>> >settings
>> >> in a database indicating who has access to what pages; we use NT domain
>> >groups.
>> >> Then, using NT Challenge Response, we can check to see if the user
>> >hitting
>> >> a page is in the NT domain group that has rights to this page, if not
>> then
>> >> send them back to their previous page or show a "nice" access denied
>page.
>> >> Our users are scattered throughout the US and we would like the local
>> IS
>> >> groups to add the proper users to the groups, so we don't have to
>maintain
>> >> the large user-rights list.
>> >>
>> >>
>> >> "Michael Howard" <mikehow@microsoft.com> wrote:
>> >> >
>> >> >sure you can use ADSI - but we aware that you may need certain
>> >privs/rights
>> >> >to achieve this. the following code is from my book:
>> >> >
>> >> >strComputer = "MyServer" ' Use '.' for the local computer.
>> >> >Set oComp = GetObject("WinNT://" & strComputer & ",computer")
>> >> >oComp.Filter = Array("group")
>> >> >
>> >> >For Each group In oComp
>> >> > WScript.echo group.Name
>> >> > iCount = 0
>> >> > For Each member in group.members
>> >> > WScript.echo " " & member.Name
>> >> > iCount = iCount + 1
>> >> > Next
>> >> > If iCount = 0 Then WScript.echo " <none>"
>> >> >Next
>> >> >
>> >> >what are you trying to achieve?
>> >> >
>> >> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
>> >> >>
>> >> >>Through VB code or ASP code is there a way to determine the NT Groups
>> >that
>> >> >>a user belongs to?
>> >> >
>> >>
>> >
>> >
>>
>
>

Thanks! This is what I was looking for

"Eli Allen" <eallen@bcpl.net> wrote:
>From: http://www.windows-script.com/
><quotedStuff>
>How do I detect what groups a user belongs to?
>
>dsRoot = "WinNT://domain/userid"
>set wshShell = Wscript.CreateObject("Wscript.Shell")
>set dsObj = GetObject(dsRoot)
>For Each Prop In dsobj.groups
> wshshell.popup Prop.Name
>Next 'Prop
></quotedStuff>
>
>That should do it.
>--
>Eli Allen
>eallen@bcpl.net
>
>
>
>"DCarter" <daniel.carter@anhesuer-busch.com> wrote in message
>news:3a9e60ba$1@news.devx.com...
>>
>> This returns the groups and users for a particular machine, how about
the
>> users in a Domain group? We are wanting to create domain groups (not
sure
>> if that is the right nomenclature) and use them as the security groups
we
>> check for access to a pages on a local intranet.
>>
>> The idea is instead of having to maintain users, groups and security
>settings
>> in a database indicating who has access to what pages; we use NT domain
>groups.
>> Then, using NT Challenge Response, we can check to see if the user
>hitting
>> a page is in the NT domain group that has rights to this page, if not
then
>> send them back to their previous page or show a "nice" access denied page.
>> Our users are scattered throughout the US and we would like the local
IS
>> groups to add the proper users to the groups, so we don't have to maintain
>> the large user-rights list.
>>
>>
>> "Michael Howard" <mikehow@microsoft.com> wrote:
>> >
>> >sure you can use ADSI - but we aware that you may need certain
>privs/rights
>> >to achieve this. the following code is from my book:
>> >
>> >strComputer = "MyServer" ' Use '.' for the local computer.
>> >Set oComp = GetObject("WinNT://" & strComputer & ",computer")
>> >oComp.Filter = Array("group")
>> >
>> >For Each group In oComp
>> > WScript.echo group.Name
>> > iCount = 0
>> > For Each member in group.members
>> > WScript.echo " " & member.Name
>> > iCount = iCount + 1
>> > Next
>> > If iCount = 0 Then WScript.echo " <none>"
>> >Next
>> >
>> >what are you trying to achieve?
>> >
>> >"DCarter" <daniel.carter@anhesuer-busch.com> wrote:
>> >>
>> >>Through VB code or ASP code is there a way to determine the NT Groups
>that
>> >>a user belongs to?
>> >
>>
>
>